Professional Indemnity and cyber coverage – are you prepared for the changes?
Cyber PI Policy

The subject of cyber coverage is increasingly under the spotlight within the insurance market. Providing clarity and adequate cover where there is ambiguity is something that all firms will need to consider within the next 12 months.

As the risk landscape continues to evolve, businesses need a clearer picture of where they are covered for cyber-related losses. That’s why your Professional Indemnity policy will soon change to either exclude or affirmatively deal with certain cyber risks.

Let’s start with the basics. Broadly, the intentions of Professional Indemnity and Cyber can be viewed as follows:

Professional Indemnity:

Covers your firm for its civil liability / duty of care to a third party in the course of your professional services.

Cyber:

First party coverage (i.e. your firm’s losses, not your clients’ losses) arising from:

  • Security breach
  • Privacy regulatory claims
  • Cyber extortion
  • Your business interruption and asset restoration
  • Cyber crime (social engineering losses) - note that it rarely covers third party client monies
  • 24/7 breach response – specialist teams support you during the incident

So far it all seems relatively clear. However, in July 2019, Lloyd’s (the London insurance marketplace) issued a Bulletin (Ref Y5258) which sought to address ambiguity under all insurance policies concerning the provision of cyber coverage. This applied not just to Professional Indemnity but to every single class of business that is underwritten in the marketplace, ranging from Property, Marine, Aviation and Liability all the way to the most obscure policies.

Insurers and their regulators are concerned that non-cyber policies were inadvertently exposed to (and in some cases paying claims for) cyber-related losses. It makes sense for underwriters to have certainty about whether or not a policy will pay a cyber-related loss, and for risk modelling and pricing to fairly reflect a defined exposure in this area.

Cyber coverage should be clearly included or excluded under all policies

There have been a number of cases where underwriters may not have known – nor priced into the premium – unintended cyber risk exposure. Two good examples where we have seen claims include:

  1. A business opens for work on Monday morning and finds its plant and machinery have been locked out through a cyber-hack. Unable to manufacture and fulfil client orders, the company suffers a financial loss. Its business interruption insurance policy, which is silent on cyber (cover is neither affirmatively included nor excluded within the wording), responds to a loss caused by a cyber-attack.
  2. A firm suffers a high profile and significant cyber-incident. That firm hasn’t purchased cyber coverage and faces a material financial loss as a consequence. A class action is brought by shareholders against the directors for not taking a proactive approach to their insurance arrangements. The Directors’ & Officers’ policy responds to the corresponding legal action.

Given the increasing number of cases like these, Lloyd’s believes that the market should adopt best practice by affirmatively including or excluding cyber coverage under all policies.

What are the implications for your Professional Indemnity policy?

Lloyd’s requirement for clarity on cover for cyber exposure is set out in a process of three phases and is part of its updated strategy for the oversight of cyber risks. Professional Indemnity will be examined in the third phase, being implemented from 1 January 2021. However, whilst that is the deadline, we are already seeing underwriters include affirmative cyber language within their PI policies.

This implementation phase isn’t without controversy, as some of the exclusionary language being proposed can have the unintended consequence of taking away coverage deemed core to PI.

While you may instinctively focus on the relevance of this exclusion to your first party cyber coverage, you should note that it could exclude claims where a cyber-loss is merely one of the contributing factors, even if not the main causative one.

Based on the table in this document, we do not expect PI policies to respond to first party losses. However, if your client suffers a loss (i.e. you fail to provide professional services due to a ransomware event) and it was deemed that a reasonably competent firm should have provisions for such a scenario, then we would expect your PI policy to respond.

Would you like to talk?

If you need any further information or guidance on this subject, or would like to talk to us about your cyber cover requirements, please contact your usual Gallagher representative or call 0800 612 2278.